From f76b314f1f04929035ed12e7d597311a3345a51d Mon Sep 17 00:00:00 2001 From: Anne van Kesteren <annevk@annevk.nl> Date: Wed, 10 Feb 2021 17:02:33 +0100 Subject: [PATCH] Adjust web+ scheme security considerations to account for FTP removal Also, network scheme is now reduced to HTTP(S) scheme. Helps with #5375, but form submission issue remains. See https://github.com/whatwg/fetch/pull/1166 for context. --- source | 12 ++++-------- 1 file changed, 4 insertions(+), 8 deletions(-) diff --git a/source b/source index 8ae7c01efb2..6770ccf7fee 100644 --- a/source +++ b/source @@ -2495,7 +2495,6 @@ a.setAttribute('href', 'https://example.com/'); // change the content attribute <li><dfn><code>about:blank</code></dfn></li> <li>An <dfn data-x-href="https://fetch.spec.whatwg.org/#http-scheme">HTTP(S) scheme</dfn></li> <li>A <dfn data-x-href="https://fetch.spec.whatwg.org/#local-scheme">local scheme</dfn></li> - <li>A <dfn data-x-href="https://fetch.spec.whatwg.org/#network-scheme">network scheme</dfn></li> <li>A <dfn data-x-href="https://fetch.spec.whatwg.org/#fetch-scheme">fetch scheme</dfn></li> <li><dfn data-x-href="https://fetch.spec.whatwg.org/#http-cors-protocol">CORS protocol</dfn></li> <li><dfn data-x="default-user-agent-value" data-x-href="https://fetch.spec.whatwg.org/#default-user-agent-value">default `<code>User-Agent</code>` value</dfn></li> @@ -9252,7 +9251,7 @@ partial interface <dfn id="document" data-lt="">Document</dfn> { context</span> is null.</li> <li>A <code>Document</code> whose <span data-x="concept-document-url">URL</span>'s <span - data-x="concept-url-scheme">scheme</span> is not a <span>network scheme</span>.</li> + data-x="concept-url-scheme">scheme</span> is not an <span>HTTP(S) scheme</span>.</li> </ul> 
@@ -117970,16 +117969,13 @@ interface <dfn>MimeType</dfn> { <dd>Scheme-specific.</dd> <dt>Interoperability considerations:</dt> <dd>The scheme is expected to be used in the context of web applications.</dd> -<!--ADD-TOPIC:Security--> <dt>Security considerations:</dt> <dd> Any web page is able to register a handler for all "<code data-x="">web+</code>" schemes. As - such, these schemes must not be used for features intended to be core platform features (e.g. - network transfer protocols like HTTP or FTP). Similarly, such schemes must not store - confidential information in their URLs, such as usernames, passwords, personal information, or - confidential project names. + such, these schemes must not be used for features intended to be core platform features (e.g., + HTTP). Similarly, such schemes must not store confidential information in their URLs, such as + usernames, passwords, personal information, or confidential project names. </dd> -<!--REMOVE-TOPIC:Security--> <dt>Contact:</dt> <dd>Ian Hickson <ian@hixie.ch></dd> <dt>Change controller:</dt>
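Review bot: removing the `network scheme` definition entry in the first hunk (`@@ -2495`) leaves any other `<span>network scheme</span>` cross-reference in the source dangling. The second hunk replaces the one visible use, and the diffstat (one file, 4 insertions, 8 deletions) suggests that is the only other one, but a search for `network scheme` across the source before merging would confirm nothing else still points at the removed definition.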
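Review bot: the rewritten condition in the second hunk (`@@ -9252`), `is not an <span>HTTP(S) scheme</span>`, widens the matching set rather than just renaming it: a `Document` whose URL has an ftp: scheme did not match "not a network scheme" but does match "not an HTTP(S) scheme". That is consistent with the FTP removal named in the subject line, but the commit message only says the scheme "is now reduced to HTTP(S) scheme"; a sentence stating that ftp: documents now fall into this list would make the behavior change explicit for readers of the log.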
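Review bot: the deletion of the `<!--ADD-TOPIC:Security-->` and `<!--REMOVE-TOPIC:Security-->` marker comments around the security considerations in the third hunk (`@@ -117970`) is not mentioned in the commit message, which describes only the wording change. If build tooling uses those markers to collect the Security topic, dropping them silently removes this entry from that output, so either keep the markers or say in the message why they go. On the wording itself, `core platform features (e.g., HTTP)` reads abruptly once `network transfer protocols like` is gone; `(e.g., network transfer protocols such as HTTP)` keeps the original sense with FTP removed.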